r12158: added ldif handlers for the ntSecurityDescriptor attribute, so when

author Andrew Tridgell <tridge@samba.org>

Fri, 9 Dec 2005 23:43:02 +0000 (23:43 +0000)

committer Gerald (Jerry) Carter <jerry@samba.org>

Wed, 10 Oct 2007 18:47:16 +0000 (13:47 -0500)
author Andrew Tridgell <tridge@samba.org>
Fri, 9 Dec 2005 23:43:02 +0000 (23:43 +0000)
committer Gerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 18:47:16 +0000 (13:47 -0500)
diff --git a/source/lib/ldb/samba/ldif_handlers.c b/source/lib/ldb/samba/ldif_handlers.c

index dab3552b014217b67ce6a54ed2340f1d59129077..6d2e4349cfb0036e75a2f61f2cbec8552824ec41 100644 (file)
--- a/source/lib/ldb/samba/ldif_handlers.c
+++ b/source/lib/ldb/samba/ldif_handlers.c
@@ -214,6 +214,65 @@ static int ldb_canonicalise_objectGUID(struct ldb_context *ldb, void *mem_ctx,
         return ldb_handler_copy(ldb, mem_ctx, in, out);
  }
  
+
+/*
+  convert a ldif (SDDL) formatted ntSecurityDescriptor to a NDR formatted blob
+*/
+static int ldif_read_ntSecurityDescriptor(struct ldb_context *ldb, void *mem_ctx,
+                                         const struct ldb_val *in, struct ldb_val *out)
+{
+       struct security_descriptor *sd;
+       NTSTATUS status;
+       const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
+       if (domain_sid == NULL) {
+               return ldb_handler_copy(ldb, mem_ctx, in, out);
+       }
+       sd = sddl_decode(mem_ctx, (const char *)in->data, domain_sid);
+       if (sd == NULL) {
+               return -1;
+       }
+       status = ndr_push_struct_blob(out, mem_ctx, sd, 
+                                     (ndr_push_flags_fn_t)ndr_push_security_descriptor);
+       talloc_free(sd);
+       if (!NT_STATUS_IS_OK(status)) {
+               return -1;
+       }
+       return 0;
+}
+
+/*
+  convert a NDR formatted blob to a ldif formatted ntSecurityDescriptor (SDDL format)
+*/
+static int ldif_write_ntSecurityDescriptor(struct ldb_context *ldb, void *mem_ctx,
+                                          const struct ldb_val *in, struct ldb_val *out)
+{
+       struct security_descriptor *sd;
+       NTSTATUS status;
+       const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
+
+       if (domain_sid == NULL) {
+               return ldb_handler_copy(ldb, mem_ctx, in, out);
+       }
+
+       sd = talloc(mem_ctx, struct security_descriptor);
+       if (sd == NULL) {
+               return -1;
+       }
+       status = ndr_pull_struct_blob(in, sd, sd, 
+                                     (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
+       if (!NT_STATUS_IS_OK(status)) {
+               talloc_free(sd);
+               return -1;
+       }
+       out->data = (uint8_t *)sddl_encode(mem_ctx, sd, domain_sid);
+       talloc_free(sd);
+       if (out->data == NULL) {
+               return -1;
+       }
+       out->length = strlen((const char *)out->data);
+       return 0;
+}
+
  static const struct ldb_attrib_handler samba_handlers[] = {
         { 
                 .attr            = "objectSid",
@@ -231,6 +290,14 @@ static const struct ldb_attrib_handler samba_handlers[] = {
                 .canonicalise_fn = ldb_canonicalise_objectSid,
                 .comparison_fn   = ldb_comparison_objectSid
         },
+       { 
+               .attr            = "ntSecurityDescriptor",
+               .flags           = 0,
+               .ldif_read_fn    = ldif_read_ntSecurityDescriptor,
+               .ldif_write_fn   = ldif_write_ntSecurityDescriptor,
+               .canonicalise_fn = ldb_handler_copy,
+               .comparison_fn   = ldb_comparison_binary
+       },
         { 
                 .attr            = "objectGUID",
                 .flags           = 0,
diff --git a/source/libcli/security/sddl.c b/source/libcli/security/sddl.c

index 643cb7a82c335249538e0a0c7c44a03a89a2b6b3..7d7fe856cd26ee41afbd23918f5c93a038b973c9 100644 (file)
--- a/source/libcli/security/sddl.c
+++ b/source/libcli/security/sddl.c
@@ -92,7 +92,7 @@ static const struct {
    It can either be a special 2 letter code, or in S-* format
  */
  static struct dom_sid *sddl_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp,
-                                      struct dom_sid *domain_sid)
+                                      const struct dom_sid *domain_sid)
  {
         const char *sddl = (*sddlp);
         int i;
@@ -172,7 +172,7 @@ static const struct flag_map ace_access_mask[] = {
    note that this routine modifies the string
  */
  static BOOL sddl_decode_ace(TALLOC_CTX *mem_ctx, struct security_ace *ace, char *str,
-                           struct dom_sid *domain_sid)
+                           const struct dom_sid *domain_sid)
  {
         const char *tok[6];
         const char *s;
@@ -259,7 +259,7 @@ static const struct flag_map acl_flags[] = {
  */
  static struct security_acl *sddl_decode_acl(struct security_descriptor *sd, 
                                             const char **sddlp, uint32_t *flags,
-                                           struct dom_sid *domain_sid)
+                                           const struct dom_sid *domain_sid)
  {
         const char *sddl = *sddlp;
         struct security_acl *acl;
@@ -316,7 +316,7 @@ static struct security_acl *sddl_decode_acl(struct security_descriptor *sd,
    decode a security descriptor in SDDL format
  */
  struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl,
-                                       struct dom_sid *domain_sid)
+                                       const struct dom_sid *domain_sid)
  {
         struct security_descriptor *sd;
         sd = talloc_zero(mem_ctx, struct security_descriptor);
@@ -408,7 +408,7 @@ failed:
    encode a sid in SDDL format
  */
  static char *sddl_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
-                            struct dom_sid *domain_sid)
+                            const struct dom_sid *domain_sid)
  {
         int i;
         char *sidstr;
@@ -446,7 +446,7 @@ static char *sddl_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
    encode an ACE in SDDL format
  */
  static char *sddl_encode_ace(TALLOC_CTX *mem_ctx, const struct security_ace *ace,
-                            struct dom_sid *domain_sid)
+                            const struct dom_sid *domain_sid)
  {
         char *sddl;
         TALLOC_CTX *tmp_ctx;
@@ -497,7 +497,7 @@ failed:
    encode an ACL in SDDL format
  */
  static char *sddl_encode_acl(TALLOC_CTX *mem_ctx, const struct security_acl *acl,
-                            uint32_t flags, struct dom_sid *domain_sid)
+                            uint32_t flags, const struct dom_sid *domain_sid)
  {
         char *sddl;
         int i;
@@ -527,7 +527,7 @@ failed:
    encode a security descriptor to SDDL format
  */
  char *sddl_encode(TALLOC_CTX *mem_ctx, const struct security_descriptor *sd,
-                 struct dom_sid *domain_sid)
+                 const struct dom_sid *domain_sid)
  {
         char *sddl;
         TALLOC_CTX *tmp_ctx;
diff --git a/source/torture/local/sddl.c b/source/torture/local/sddl.c

index 8d5874d8786e15846236557d95f2e9054486bc04..01f4d839d9734acb6c014d723be0fecc6d90956f 100644 (file)
--- a/source/torture/local/sddl.c
+++ b/source/torture/local/sddl.c
@@ -57,6 +57,13 @@ static BOOL test_sddl(TALLOC_CTX *mem_ctx, const char *sddl)
                 return False;
         }
  
+#if 0
+       /* flags don't have a canonical order ... */
+       if (strcmp(sddl, sddl2) != 0) {
+               printf("Failed sddl equality test\norig: %s\n new: %s\n", sddl, sddl2);
+       }
+#endif
+
         if (DEBUGLVL(2)) {
                 NDR_PRINT_DEBUG(security_descriptor, sd);
         }
author	Andrew Tridgell <tridge@samba.org>
	Fri, 9 Dec 2005 23:43:02 +0000 (23:43 +0000)
committer	Gerald (Jerry) Carter <jerry@samba.org>
	Wed, 10 Oct 2007 18:47:16 +0000 (13:47 -0500)
source/lib/ldb/samba/ldif_handlers.c		patch \| blob \| history
source/libcli/security/sddl.c		patch \| blob \| history
source/torture/local/sddl.c		patch \| blob \| history